Improved Security Analyses for {CBC} {MAC}s

Mihir Bellare and Krzysztof Pietrzak and Phillip Rogaway

We present an improved bound on the advantage of any \mbox{$q$-query} adversary
at distinguishing between the CBC MAC over a random $n$-bit permutation and a
random function outputting $n$ bits. The result assumes that no message
queried is a prefix of any other, as is the case when all messages to be MACed
have the same length. We go on to give an improved analysis of the encrypted
CBC MAC, where there is no restriction on queried messages.
Letting $\l$ be the block length of the longest query,
our bounds are about $\l q^2/2^n$ for the basic CBC MAC and
$\l^{o(1)}q^2/2^n$ for the
encrypted CBC MAC, improving prior bounds of $\l^2q^2/2^n$. The new bounds
translate into improved guarantees on the probability of forging these MACs.